Re: [HACKERS] Getting rid of "accept incoming network connections" prompts on OS X

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: [HACKERS] Getting rid of "accept incoming network connections" prompts on OS X
Date: 2018-07-26 21:45:17
Message-ID: 18689.1532641517@sss.pgh.pa.us
Lists: pgsql-hackers

[ blast-from-the-past department ]

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> On 10/25/14 2:52 PM, Tom Lane wrote:
>> And a bit of experimentation later: it seems that on Yosemite (and
>> probably earlier OS X versions), "localhost" maps to all three of these
>> addresses:
>> 127.0.0.1
>> ::1
>> fe80:1::1
>> Binding to 127.0.0.1 does not trigger the firewall popup. Binding
>> to ::1 doesn't, either. But binding to fe80:1::1 does. So the
>> easy fix, for a default installation, is to keep the postmaster
>> from binding to that last address.
>>
>> I'm not sufficiently up on my IPv6 to be sure exactly what that third
>> address does. Perhaps it is a bug in the firewall logic that it
>> considers that address external?

> I think that's exactly it. I have filed a bug with Apple about it.

This came up again today, and I've confirmed that the issue still exists
in current macOS. Did you get any response to your bug report, and if
so what did they say?

BTW, I seem to have typo'd in the above-quoted message --- what's
actually in the problematic line, at least on my Mac, is

fe80::1%lo0 localhost

which is not quite the same address I wrote above. It's definitely
a link-local address though, and the binding to %lo0 does seem to
be understood by macOS, at least to the extent that netstat reports
it:

$ netstat -a -n
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
tcp6       0      0  fe80::1%lo0.5432       *.*                    LISTEN
tcp6       0      0  ::1.5432               *.*                    LISTEN
... unrelated stuff ...

So either the kernel isn't really treating it as link-local on the
loopback interface, or the firewall doesn't understand that it's
link-local. Either way, sure seems like an Apple bug.

regards, tom lane
